Capturing Linux EC2 Memory using AWS SSM, IAM, and S3 (PoC)

I thought I’d just focus on a small script for this post. The idea is to build the necessary tool (a LiME kernel module, the .ko file) on a test instance launched from an AMI copy of the infected host, and then use that module on the infected host — possibly a lighter footprint on the host? This script will do the following:

  1. Create an AMI of the “infected” instance
  2. Create a test instance from AMI and assign a role (more info below)
  3. Download LiME and build .ko file on test instance
  4. Upload .ko file to S3 and terminate test instance
  5. Download .ko file to running infected host and dump memory to file
  6. Upload memory dump file to S3

This role will allow SSM commands and S3 uploads/downloads. Under IAM, I used the AmazonEC2RoleforSSM policy for my ForensicsRole.
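The following is an added example of how the six steps above can be driven with boto3; it is not the author's script. It assumes boto3 is installed, that the AMI is Amazon Linux (yum-based, with a `kernel-devel` package matching the running kernel), that the infected host already has an SSM-enabled instance profile, and it uses the upstream LiME repository on GitHub. The bucket, key prefix, instance profile name and instance IDs are parameters. `forensics_role_policy` is a scoped inline policy of my own, an alternative to the AmazonEC2RoleforSSM managed policy mentioned above, granting only what the SSM agent and the two scripts need.

```python
"""Orchestrate the memory capture described in the post (added example, not the author's script)."""
import time

LIME_REPO = "https://github.com/504ensicsLabs/LiME"  # upstream LiME project


def lime_build_commands(bucket: str, prefix: str) -> list[str]:
    """Shell lines run on the throw-away build instance (steps 3 and 4).
    Assumes Amazon Linux; kernel-devel must match `uname -r` or the .ko will not load."""
    return [
        "set -eu",
        "yum install -y git gcc make kernel-devel-$(uname -r)",
        f"git clone --depth 1 {LIME_REPO} /tmp/LiME",
        "make -C /tmp/LiME/src",
        # LiME names the module after the kernel it was built for.
        f"aws s3 cp /tmp/LiME/src/lime-$(uname -r).ko s3://{bucket}/{prefix}/lime-$(uname -r).ko",
    ]


def memory_dump_commands(bucket: str, prefix: str) -> list[str]:
    """Shell lines run on the infected host (steps 5 and 6).
    The module is fetched by the host's own `uname -r`, so a kernel mismatch between host
    and build instance fails at the download, before insmod. As in the post, the dump is
    written to local disk first, which does touch the host's filesystem."""
    return [
        "set -eu",
        f"aws s3 cp s3://{bucket}/{prefix}/lime-$(uname -r).ko /tmp/lime.ko",
        'insmod /tmp/lime.ko "path=/tmp/$(hostname)-mem.lime format=lime"',
        "rmmod lime",
        f"aws s3 cp /tmp/$(hostname)-mem.lime s3://{bucket}/{prefix}/$(hostname)-mem.lime",
        "rm -f /tmp/lime.ko /tmp/$(hostname)-mem.lime",  # leave no dump behind on the host
    ]


def forensics_role_policy(bucket: str, prefix: str) -> dict:
    """Scoped alternative (my assumption) to the managed policy: SSM agent actions plus
    get/put confined to the forensics prefix, instead of AdministratorAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # What the SSM agent needs to register and receive commands.
                "Effect": "Allow",
                "Action": [
                    "ssm:UpdateInstanceInformation",
                    "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel",
                    "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
                    "ec2messages:FailMessage", "ec2messages:GetEndpoint",
                    "ec2messages:GetMessages", "ec2messages:SendReply",
                ],
                "Resource": "*",
            },
            {   # Object access only under the forensics prefix.
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def run_via_ssm(ssm, instance_id: str, commands: list[str], timeout: int = 3600) -> str:
    """Send a shell script via AWS-RunShellScript and block until it finishes; return stdout."""
    cmd = ssm.send_command(
        InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
        Parameters={"commands": commands, "executionTimeout": [str(timeout)]},
    )["Command"]["CommandId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            inv = ssm.get_command_invocation(CommandId=cmd, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:  # invocation record not created yet
            time.sleep(5)
            continue
        if inv["Status"] in ("Pending", "InProgress", "Delayed"):
            time.sleep(10)
            continue
        if inv["Status"] != "Success":
            raise RuntimeError(f"SSM command {inv['Status']}: {inv['StandardErrorContent']}")
        return inv["StandardOutputContent"]
    raise TimeoutError(f"SSM command {cmd} did not finish within {timeout}s")


def wait_for_ssm(ssm, instance_id: str, attempts: int = 60) -> None:
    """Block until the SSM agent on a fresh instance has registered."""
    for _ in range(attempts):
        info = ssm.describe_instance_information(
            Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])["InstanceInformationList"]
        if info:
            return
        time.sleep(10)
    raise TimeoutError(f"{instance_id} never registered with SSM")


def main(infected_id: str, bucket: str, prefix: str, profile: str, instance_type: str = "t3.medium") -> str:
    import boto3  # assumed installed; the pure helpers above do not need it
    ec2, ssm = boto3.client("ec2"), boto3.client("ssm")
    # Step 1: image the infected host. NoReboot=True, since a reboot would discard the memory we want.
    ami = ec2.create_image(InstanceId=infected_id, Name=f"forensics-{infected_id}-{int(time.time())}",
                           NoReboot=True)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[ami])
    # Step 2: disposable build instance from that AMI with the forensics instance profile attached.
    build_id = ec2.run_instances(ImageId=ami, InstanceType=instance_type, MinCount=1, MaxCount=1,
                                 IamInstanceProfile={"Name": profile})["Instances"][0]["InstanceId"]
    try:
        ec2.get_waiter("instance_status_ok").wait(InstanceIds=[build_id])
        wait_for_ssm(ssm, build_id)
        run_via_ssm(ssm, build_id, lime_build_commands(bucket, prefix))  # steps 3 and 4
    finally:
        ec2.terminate_instances(InstanceIds=[build_id])
    return run_via_ssm(ssm, infected_id, memory_dump_commands(bucket, prefix))  # steps 5 and 6


if __name__ == "__main__":
    import sys
    print(main(*sys.argv[1:5]))  # usage: <infected-instance-id> <bucket> <prefix> <instance-profile-name>
```

The two command builders are plain functions so the exact shell that SSM will run on each host can be reviewed (or diffed against what ends up in the SSM command history) before anything is sent; the same split keeps the policy document testable without touching AWS.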

I have the file sitting in S3… now it’s time to find some amzn Volatility profiles and validate… I know they exist…

Thanks for reading!

P.S. I may or may not have run this script with that easy-button policy (AdministratorAccess).